MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52af61d1dabbca2d4b0fea38de7737ab22207cdf81604c54798cce8ccb3458bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 27 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52af61d1dabbca2d4b0fea38de7737ab22207cdf81604c54798cce8ccb3458bd
SHA3-384 hash: 49e1ea65c0cafbe41a8f3217d23c0909eddb0df8ab31dd123ce13aa6ec1093c1f5eaaf6fad5c2741bc68124b03bcef89
SHA1 hash: ef6c46a7942dc0b61d2878d8a6c1ae171bbf14c7
MD5 hash: adea2895b87bf02f3e3ad17e8e17e901
humanhash: snake-oklahoma-hamper-pasta
File name:SecuriteInfo.com.Win64.PWSX-gen.25941.20836
Download: download sample
File size:54'799'100 bytes
First seen:2024-01-20 13:29:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a000a2e6d5024eddeecd2ad0b8944509
ssdeep 786432:QG7Qap2VNDvHlRSBQszki42JwAcqmDAyiOfTTmjGMvYwChS:QMbGRPlAZd42JwT85aTTmSwAS
TLSH T155C7BD0773E601A5E5B3D2388AAB5503E773B4634730CADF329D06551FABAD09E7A720
TrID 33.6% (.EXE) OS/2 Executable (generic) (2029/13)
33.1% (.EXE) Generic Win/DOS Executable (2002/3)
33.1% (.EXE) DOS Executable Generic (2000/1)
dhash icon b1a0b493a6cacaf2
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
FR FR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Reading critical registry keys
Creating a file
Creating a window
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
90%
Tags:
anti-debug crypto evasive expand fingerprint lolbin overlay packed
Link:
https://www.filescan.io/uploads/65abcae42593e1cd0baafa1d/reports/5e7f2ed3-4650-4b47-9ce4-14c070cc1136/overview
Verdict:
Malicious
Labled as:
Trojan.GenCBL
Link:
https://www.hybrid-analysis.com/sample/52af61d1dabbca2d4b0fea38de7737ab22207cdf81604c54798cce8ccb3458bd
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis.adwa.spyw
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1377974
Signature
Drops PE files to the startup folder
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1377974 Sample: SecuriteInfo.com.Win64.PWSX... Startdate: 20/01/2024 Architecture: WINDOWS Score: 76 75 discord.com 2->75 77 api4.ipify.org 2->77 79 api.ipify.org 2->79 89 Multi AV Scanner detection for dropped file 2->89 91 Multi AV Scanner detection for submitted file 2->91 10 SecuriteInfo.com.Win64.PWSX-gen.25941.20836.exe 93 2->10         started        15 Update.exe 20 2->15         started        signatures3 process4 dnsIp5 81 api4.ipify.org 104.237.62.211, 443, 49720, 49724 WEBNXUS United States 10->81 83 discord.com 162.159.135.232, 443, 49721, 49725 CLOUDFLARENETUS United States 10->83 67 C:\Users\user\AppData\Roaming\...\Update.exe, PE32+ 10->67 dropped 69 C:\Users\user\AppData\...\node-dpapi.node, PE32+ 10->69 dropped 71 C:\Users\user\AppData\...\node_sqlite3.node, PE32+ 10->71 dropped 73 11 other files (10 malicious) 10->73 dropped 93 Overwrites Mozilla Firefox settings 10->93 95 Drops PE files to the startup folder 10->95 17 cmd.exe 1 10->17         started        20 cmd.exe 1 10->20         started        22 cmd.exe 1 10->22         started        30 90 other processes 10->30 97 Tries to harvest and steal browser information (history, passwords, etc) 15->97 24 cmd.exe 15->24         started        26 cmd.exe 15->26         started        28 cmd.exe 15->28         started        32 77 other processes 15->32 file6 signatures7 process8 signatures9 85 Uses cmd line tools excessively to alter registry or file data 17->85 34 reg.exe 1 17->34         started        37 conhost.exe 17->37         started        39 HOSTNAME.EXE 1 20->39         started        43 2 other processes 22->43 45 2 other processes 24->45 47 2 other processes 26->47 41 powershell.exe 28->41         started        49 78 other processes 30->49 51 77 other processes 32->51 process10 signatures11 87 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 34->87 53 powershell.exe 41->53         started        55 powershell.exe 47->55         started        57 powershell.exe 51->57         started        59 powershell.exe 51->59         started        61 powershell.exe 51->61         started        63 3 other processes 51->63 process12 process13 65 powershell.exe 55->65         started       
Score:
6%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/52af61d1dabbca2d4b0fea38de7737ab22207cdf81604c54798cce8ccb3458bd
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-12 14:38:41 UTC
File Type:
PE+ (Exe)
Extracted files:
19
AV detection:
7 of 24 (29.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kkxwduo2xpfc2syp5i4n45zxvmrca7g7qfqeyvdzrthizszulc6q._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/240120-qrvwbaagcq/
Behaviour
Collects information from the system
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:APT_Bitter_ZxxZ_Downloader
Create hunting rule
Author:SECUINFRA Falcon Team (@SI_FalconTeam)
Description:Detects Bitter (T-APT-17) ZxxZ Downloader
Reference:https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh
Rule name:attack_India
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:Mimikatz_Generic
Create hunting rule
Author:Still
Description:attempts to match all variants of Mimikatz
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments